Akeyless SCP

Akeyless SCP enables secure copy via Secure Remote Access Bastion.

Note:

Akeyless SCP currently supports only UNIX-like OS.

Prerequisite

Usage

  1. Download the Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
  2. Create your ~/.akeyless-sphere.rc:
# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
#
# All rights reserved
# ----------------------------------------------------------------------

#
# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc
#

# identity_file - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)
identity_file=""

# cert_issuer_name - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session
cert_issuer_name=""

# profile - Akeyless CLI profile to be used
profile="default"

# Akeyless CLI binary (if needed)
AKEYLESS_CLI=akeyless

# AKEYLESS_API_GW - URL for Akeyless API Gateway (RestAPI)
AKEYLESS_API_GW=""

# Following are used for control service, to configure the temporary session:
# ${BASTION_API_PROTO_}://"${BASTION_API_PREFIX_}${JB_SRV_}${BASTION_API_PATH_}":"${BASTION_API_PORT_}
#
BASTION_API_PREFIX_=""
BASTION_API_PATH_=""
BASTION_API_PROTO_=http
BASTION_API_PORT_=9900

# Allow caching of temp session creds
SESSION_CACHING=no

# Display connection stages
DISPLAY_STAGES=yes

# Use SSH Agent to store user's identity keys.
USE_SSH_AGENT=yes

The latest version of this file can be found in the official Akeyless artifacts.

Configure the following settings:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the profile to use from your Akeyless Command Line Interface (CLI). By default, the default profile of your Akeyless CLI is used.

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.

Optionally, when working with load balancers, you can set the exact FQDN of your ssh-sra service, which listens on the bastion API control port:

BASTION_API_PREFIX - Set the FQDN prefix to match your load balancer settings.

BASTION_API_PATH - Set the FQDN path to match your load balancer settings.

The URL is then built as follows:

${BASTION_API_PROTO}://"${BASTION_API_PREFIX}${BASTION_HOST}${BASTION_API_PATH}":"${BASTION_API_PORT}

  3. Use the akeyless-scp command to perform a secure copy to a remote target server via the Akeyless Secure Remote Access Bastion:

Full options list:

Usage: /usr/local/bin/akeyless-scp <[email protected][:port]> via <bastion-server[:port]> [options]

optional arguments:
    --cert-issuer-name      Akeyless certificate issuer name [mandatory]
    --local-file            File to copy [mandatory]
    --remote-file           File to copy [default is '~/']
    --direction             upload/download [default is 'upload']
    --profile               Use a specific profile from your Akeyless CLI
    -i                      Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
    --ssh-extra-args        Use to add offical SSH arguments (except -i)

For example, this command copies a local file to a remote server:

akeyless-scp [email protected] via <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file
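
A pre-flight check for the bastion control settings described in step 2, added here as an example (it is not part of the Akeyless script): it reads the BASTION_API_* keys as they are spelled in the rc file listing, without executing the file, builds the control URL per the template above, and returns non-zero when the control API would be reached over anything other than https. The function names, exit codes and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Akeyless code. Reads rc settings without executing the file.

# rc_get FILE KEY: print the value of the last "KEY=value" line, unquoted.
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# control_url FILE BASTION_HOST: print the control URL built per the page's
# template. Returns 0 for https, 1 for any other protocol, 2 for a bad port.
control_url() {
    rcfile=$1
    bastion=$2
    proto=$(rc_get "$rcfile" BASTION_API_PROTO_)
    port=$(rc_get "$rcfile" BASTION_API_PORT_)
    prefix=$(rc_get "$rcfile" BASTION_API_PREFIX_)
    apipath=$(rc_get "$rcfile" BASTION_API_PATH_)
    proto=${proto:-http}   # defaults stated on the page
    port=${port:-9900}
    case $port in
        *[!0-9]*) echo "invalid BASTION_API_PORT_: $port" >&2; return 2 ;;
    esac
    printf '%s://%s%s%s:%s\n' "$proto" "$prefix" "$bastion" "$apipath" "$port"
    [ "$proto" = https ] || {
        echo "control API would use $proto, not https" >&2
        return 1
    }
}

# Constructed sample rc; the prefix, path and host are placeholder values.
sample_rc=$(mktemp)
cat > "$sample_rc" <<'EOF'
BASTION_API_PREFIX_="sra-"
BASTION_API_PATH_=".lb.example.com"
BASTION_API_PROTO_=http
BASTION_API_PORT_=9900
EOF
if url=$(control_url "$sample_rc" bastion01); then
    echo "control URL: $url"
else
    echo "review rc before copying, control URL: $url"
fi
rm -f "$sample_rc"
```
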